TroveStays All legal documents

Version 1.0.1 · Effective 2026-06-22 · Operated by Kindleye Limited (Hong Kong)

TroveStays — Privacy Policy

This Privacy Policy explains what personal data TroveStays collects about you, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It is written to comply with the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) ("PDPO") and the Data Protection Principles ("DPPs") set out in Schedule 1 to the PDPO. It is part of our Terms and Conditions and applies to everyone who uses TroveStays.

A separate, shorter notice — our Personal Information Collection Statement ("PICS") — is shown to you at the point where each category of personal data is collected (at signup, at checkout, at creator-payout onboarding, and when you grant camera or photo-library access). The PICS is the document that the PDPO requires us to give you at the point of collection. This Privacy Policy is the longer-form companion to those PICS.


1. Who we are

1.1 The data user. Your personal data is collected and held by Kindleye Limited, a Hong Kong company with Business Registration number 79777743 and registered office at 26 Square Street, Sheung Wan, Hong Kong. In PDPO terms, Kindleye Limited is the "data user" — equivalent to the "data controller" in other jurisdictions. Where this Policy says "TroveStays", "we", "us", or "our", that is who is meant.

1.2 Privacy contact. Our contact for privacy matters, including PDPO data-access and correction requests, is support@trovestays.com. We treat that mailbox as our Data Protection Officer contact channel even where appointing a DPO is not mandatory.


2. The personal data we collect

For convenience the table below groups every category of personal data we collect or generate about you. The categories track the actual database schema and integrations used by the TroveStays Service.

2.1 Identity and account data

Data Source Why we collect it
Email address You, at signup Account identification, login, transactional emails
Password (stored as a salted bcrypt hash, never as plain text) You, at signup Authenticating you when you log in
Username (lower-case, alphanumeric, dot or underscore allowed) You, at signup Public identifier on the Platform
Display name You, at signup or in profile edit Public name on the Platform
Avatar (image you upload) You, in profile edit Your public profile picture
Bio text You, in profile edit Public profile description
Instagram handle (optional) You, in profile edit To let other Users find your Instagram
User type ("traveler" or "creator") Set on your behalf at signup; can change later Routing you to the right features

2.2 Preferences and personalisation

Data Source Why we collect it
Preferred currency (ISO-4217 code) You, at signup or in profile edit Showing prices in your currency
Nationality (ISO-3166 alpha-2 code) You, at signup or in profile edit Required by some Suppliers/LiteAPI for accurate rates and rules
Travel-style and destination preferences (JSON) You, in onboarding/profile Personalising the Discover feed

2.3 Booking data (Travellers)

Data Source Why we collect it
Guest first name You, at checkout Required by the Supplier to identify the guest
Guest last name You, at checkout Same
Guest email You, at checkout Supplier and LiteAPI booking confirmation
Guest phone number You, at checkout — passed to LiteAPI only; not stored by TroveStays Supplier contact in case of operational issues
Number of adults, number of children, age of each child (0–17), number of rooms, check-in / check-out dates, room name You, at checkout The booking itself
Booking outcome data: LiteAPI booking ID, prebook ID, hotel confirmation code, selling price, net rate, currency, transaction ID (a payment-reference token, not a card number), payment method, payment status, cancellation status, cancellation fee, amount refunded, compensation amount and currency (if any) Computed by us and returned by LiteAPI/Stripe Operating, supporting, and reconciling your booking

2.4 Payment data

Data Source Why we collect it
Card number, expiry, CVV Never collected by TroveStays. Entered by you into a payment iframe hosted by LiteAPI / Stripe. Charging your card for the booking
Transaction ID (Stripe charge reference returned by LiteAPI's widget) LiteAPI/Stripe Reconciling and refunding the booking
Payment method category (e.g. "credit card", "wallet") LiteAPI Operational record-keeping

2.5 Creator payout data (Creators only)

Data Source Why we collect it
Stripe connected account ID (acct_* — an opaque identifier, not a bank account number) Stripe (via Stripe Connect) Routing payouts to you
Bank country (ISO-3166 alpha-2) You, at payout onboarding Setting up the Stripe Connect account
Stripe KYC requirement status (a list of fields Stripe is still waiting on) Stripe Showing you what you need to complete onboarding
Capabilities (charges_enabled, payouts_enabled, details_submitted) Stripe Knowing whether we can pay you
Disabled-reason text (if Stripe restricts the account) Stripe Telling you what to fix
Your bank account number, identity documents, tax identification number, and KYC documents Never collected by TroveStays. Submitted by you directly to Stripe via Stripe's secure flow. KYC, AML, and payout
Payout records: gross amount, debt applied, net amount, currency, Stripe transfer ID, Stripe payout ID, period start/end, status, failure code/message (if any) Computed by us, returned by Stripe Paying you correctly and auditably
Commission and clawback records Computed by us Tracking what you have earned, what is on hold, and what has been clawed back

2.6 User-generated content and engagement

Data Source Why we collect it
Posts (caption, hotel attribution, optional verified-stay link) You, when posting The core social feature
Videos Uploaded by you directly to Mux (we never store the video file in our database; we only store Mux's asset and playback identifiers and quality metadata) Hosting and streaming your video
Photos (where used) Uploaded by you to Supabase Storage Hosting and serving the image
Comments You Discussion on posts
Likes, follows, saves, collections You Personalisation and social graph
Post impressions (which posts you saw, how many times, when last seen) Captured by us when you view content for ~2.5 seconds or more Ranking the Discover feed so we do not repeat content you have already seen
Reviews (overall, cleanliness, location, service, value scores; written review body; booked vs actual room name) You, after a stay Quality measurement of hotels on the Platform; not currently shown to other Users at the date of this Policy (see clause 7)

2.7 Device and notification data

Data Source Why we collect it
Expo push notification token Generated when you grant notification permission on your device Sending notifications
Device type (iOS / Android / Web) Captured by the Expo framework Operations and debugging
Approximate location (only on Android when you grant permission to the Google Map view) Your device, if you grant permission Showing your position on the map

2.8 Communications and support

Data Source Why we collect it
Messages you send to support@trovestays.com, support@trovestays.com, or support@trovestays.com You Responding to your enquiry, complaint, or notice

2.9 What we do not collect


3. How we collect personal data

3.1 Directly from you — when you create your account, edit your profile, complete a booking, post content, configure your payout account, message us, or interact with notifications.

3.2 From your device — push notification tokens, device type, app version, and (on Android, with permission) approximate location.

3.3 From the third parties we work with — LiteAPI sends us booking confirmations, payment statuses, refund outcomes, and cancellation events about your bookings; Stripe sends us account-status and transfer events about Creator payouts; Mux sends us video-processing outcomes.

3.4 From the way you use the Platform — analytics events that are not personally targeted but are recorded with your user ID for operational purposes (for example, post-impression records used to avoid showing you the same content twice).


4. Why we use your personal data — the purposes (DPP1)

We use your personal data for the following purposes, each of which is directly related to running the Platform:

  1. Providing the Service — letting you sign in, browse hotels, post content, complete a booking, leave a review, and otherwise use TroveStays as intended.
  2. Booking processing — sharing the minimum personal data necessary with LiteAPI (and, through them, with the Supplier hotel) to confirm and operate your stay.
  3. Payment processing — facilitating LiteAPI's secure widget so your card can be charged on behalf of the Supplier.
  4. Creator payouts — onboarding you to Stripe Connect, computing what you have earned, and arranging monthly transfers.
  5. Personalising the Discover feed — ranking content so you see things that match your preferences and so you do not repeatedly see the same posts.
  6. Notifications — sending transactional notifications (booking confirmation, cancellation, refund, new comment on your post, new post by a Creator you follow) and, where you have given express consent, promotional notifications.
  7. Customer support — responding to your messages, investigating complaints, handling disputes.
  8. Fraud prevention, security, and abuse detection — protecting the Platform, our Users, our Suppliers, and ourselves from fraud, abuse, account takeover, payment-card misuse, sanctions risk, and money laundering.
  9. Compliance with law — meeting our legal obligations under the PDPO, the Inland Revenue Ordinance, the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, and other laws that apply to us, and responding to lawful requests from regulators, courts, and law-enforcement agencies.
  10. Business operations and product improvement — running our business in a sensible way: accounting, audit, statistics, debugging, and improving how the Platform works.
  11. Marketing of our own services — only with your express consent, as described in Section 8.

We will not use your personal data for a new purpose that is not described in this Policy without first updating this Policy and, where required, obtaining your prescribed consent.


5. Who we share your personal data with (DPP3)

The third parties below help us run the Service. Where we share personal data with them, we do so only to the extent necessary for the purposes in Section 4, and we require them by contract to protect your data and to use it only for the purpose for which we have shared it.

Recipient Role Personal data shared Where processed
LiteAPI Travel Limited Hotel inventory provider and merchant of record for bookings Guest first/last name, email, phone, nationality, dates, occupancy (including children's ages), currency, payment authorisation reference; receives back booking ID, hotel confirmation code, payment status, refund and compensation outcomes Ireland and the United States
Stripe (Stripe Payments Europe Ltd / Stripe Inc.) Payment processing (via LiteAPI's widget) and Creator payouts (Stripe Connect Accounts v2) For payment: card details entered by you directly into the Stripe-hosted iframe (we never see them); for payouts: name, email, bank country, and KYC documents that you submit directly to Stripe Ireland and the United States
Mux Video hosting, transcoding, streaming, and automated quality assessment Your uploaded video file and a passthrough containing your TroveStays post identifier United States
Supabase Our primary database, authentication, file storage, and serverless function host All personal data we store, encrypted at rest and accessible only through our own application logic and Row-Level Security policies Supabase region selected for the project (current Supabase project reference: ecipelrxasjlyvrsctdq)
Expo Push Notification Service (Expo, Inc.) Delivery of push notifications Your Expo push token, the notification title and body, and any data payload necessary to deep-link you to the right screen United States
Google Maps Platform (Google LLC) — Android only Display of maps within the app on Android devices Map viewport, hotel coordinates, and (only where you grant Android location permission) your device's approximate location Google's global infrastructure
OpenStreetMap — iOS and web Display of maps within the app on iOS and web Map viewport and hotel coordinates (no user identifier) OpenStreetMap's infrastructure
Frankfurter.app Daily foreign-exchange rate look-ups for Creator payouts in USD None — we send currency codes and dates, not personal data Public service
Our professional advisers (lawyers, accountants, auditors) Legal advice, audit, accounting Only what is necessary for the engagement Hong Kong and, where engaged, elsewhere
Regulators, courts, and law-enforcement bodies Where we are required by law to disclose Only what we are lawfully required to disclose The jurisdiction making the request
A successor in a corporate transaction Where we sell, merge, or transfer the TroveStays business Personal data necessary for the successor to continue operating the Service under the same terms (subject to your right to delete your account before transfer) Depends on the transaction

We do not sell your personal data to anyone. We do not share your personal data with third-party advertising networks. We do not run third-party advertising trackers in the app.


6. Sending personal data outside Hong Kong

6.1 Several of the recipients in Section 5 are located outside Hong Kong, principally in Ireland and the United States. That means your personal data is, in the course of normal operation of the Service, sent outside Hong Kong.

6.2 Section 33 of the PDPO, which restricts cross-border transfers, is not currently in force in Hong Kong. However, we apply the safeguards recommended by the Office of the Privacy Commissioner for Personal Data ("PCPD") in its guidance on cross-border data transfer:

6.3 We will update this Policy if section 33 PDPO comes into force or if the PCPD changes its guidance materially.


7. Reviews and how we use them

7.1 After a stay, you may submit a review of the hotel (overall score, sub-scores, and an optional written body, together with whether you were upgraded and to which room). We collect and store these reviews so that we can analyse the quality of hotels on the Platform.

7.2 At the date of this Policy, individual reviews are not displayed publicly to other Users. If we change that in the future, we will:

7.3 You can ask us to delete a review you have submitted by writing to support@trovestays.com.


8. Direct marketing (Part 6A PDPO)

8.1 Transactional notifications are not direct marketing. When we send you a booking confirmation, a payment receipt, a refund notification, a cancellation notification, a notification that someone followed you, a notification that a Creator you follow has posted, or a similar operational message, we are not engaging in direct marketing as defined in Part 6A of the PDPO. We send these to you because they are necessary to operate the Service. You can manage push notifications in your device settings; turning them off may prevent us from getting time-critical operational messages to you.

8.2 Promotional marketing is opt-in. We do not send you marketing about products or services that go beyond the operational running of the Service (for example, a curated list of recommended hotels, a marketing newsletter, or a promotional push notification) unless you have given your express consent.

8.3 What you will see if and when we ask. Where we ask for that consent, we will tell you (in compliance with section 35C PDPO):

8.4 Opt-out is free and always available. Every promotional message we send carries a free, easy way to opt out — typically an unsubscribe link in email and an in-app toggle for push notifications. We will action your opt-out without charge and as soon as reasonably practicable.

8.5 We do not sell or rent your personal data for the direct-marketing purposes of any other person, and we will not do so without your prior written consent, as required by section 35K PDPO.


9. How long we keep your personal data (DPP2)

We keep your personal data only for as long as it is necessary for the purpose for which it was collected, or for as long as we are required by law to keep it. In practice:

Data Retention
Profile data, posts, comments, follows, likes, saves Until you delete the item, or until your account is deleted, whichever comes first
Account itself Until you delete it (after which we delete personal data within 30 days, subject to backup-rotation cycles of up to 90 days and any lawful retention obligation)
Bookings and booking-related records (guest name on the booking, email used, dates, payment status, payment reference, refund and compensation outcomes) Seven (7) years from the date of the booking — consistent with record-keeping expectations under the Inland Revenue Ordinance and ordinary commercial dispute-resolution time-limits
Creator payout records (commission and payout history, clawbacks) Seven (7) years from the relevant transaction
Webhook payload logs (LiteAPI and Stripe events) 90 days, then deleted by an automated job
Pay-token / prebook-owner audit ledger 7 days, then deleted
Push notification token Until your device re-registers, you uninstall the app, or your account is deleted
Reviews Until you delete the review or your account is deleted
Post impressions (which posts you saw) While the underlying post exists and you are an account holder
Customer-support correspondence Two (2) years from closure of the support ticket, unless it relates to a matter under active legal or regulatory review
Logs that contain personal data (for example, audit and security logs) Up to two (2) years, after which they are anonymised or deleted

If a legal hold applies (for example, because of pending or threatened litigation, a regulator's request, or a tax investigation), we keep the affected records for the duration of the hold even if the retention period in the table above would otherwise have expired.


10. How we protect your personal data (DPP4)

10.1 We take practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or other use. Those steps include:

10.2 No system is perfect. If we become aware of an unauthorised access to or loss of your personal data, we will follow the PCPD's Guidance on Data Breach Handling and the Giving of Breach Notifications (in its current form). That means notifying the PCPD, notifying you, and taking remedial steps where the breach is likely to cause real risk of harm. Mandatory breach notification is not yet a statutory requirement in Hong Kong; we commit voluntarily to the PCPD-aligned standard.


11. Your rights (DPP5 and DPP6)

You have the following rights in respect of your personal data:

11.1 Right to be informed. This Policy and the PICS shown at the point of collection tell you what we do with your data.

11.2 Right of access (section 18 PDPO). You can ask us to confirm whether we hold any personal data about you and to give you a copy. We will respond within forty (40) days of receiving a properly-formulated request and proof of your identity. The PDPO permits us to charge a fee that is not excessive; in practice we waive the fee for our own Users.

11.3 Right of correction (section 22 PDPO). If any personal data we hold about you is inaccurate, you can ask us to correct it. You can also correct most account information yourself in the Profile screen.

11.4 Withdrawal of consent / opt-out of marketing. You can opt out of any direct marketing at any time, free of charge, using the unsubscribe link in the message or the in-app toggle. We will action your opt-out without delay.

11.5 Withdrawal of push notification permission. You can turn off push notifications at any time in your device's settings. Doing so may prevent us from delivering time-critical operational messages.

11.6 Account deletion. You can delete your account from the Profile screen or by writing to support@trovestays.com. Deletion removes your personal data subject to the retention rules in Section 9 (some records, especially bookings, must be retained for accounting and dispute-resolution reasons). Personal data that has already been seen, copied, or shared by other Users (for example, screenshots of a post by a follower) is outside our control.

11.7 Complaints. If you think we have mishandled your personal data, please raise it with us first at support@trovestays.com — we want to fix problems. You also have the right to complain directly to the Office of the Privacy Commissioner for Personal Data, Hong Kong, at:

11.8 How to make a request. Send any access, correction, deletion, or complaint request to support@trovestays.com. To protect your data we will ask you to verify your identity before we act.


12. International Users (non-Hong-Kong residents)

12.1 TroveStays is operated from Hong Kong under Hong Kong law. We make TroveStays available to Users in many countries. Where you use the Service from outside Hong Kong, this Policy still applies, and you accept that your personal data is processed in Hong Kong and in the third-party locations identified in Section 5.

12.2 Users in the European Economic Area, the United Kingdom, Switzerland. Even though Hong Kong law governs your relationship with us, where the General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR, or equivalent local law gives you a statutory right that we would not otherwise grant you (for example, a right to erasure, a right to data portability, a right to restrict processing, or a right not to be subject to a decision based solely on automated processing), we voluntarily honour the substantive equivalent of that right on request to support@trovestays.com. We do not formally hold a Lead Supervisory Authority and we do not have a representative in the EU at the date of this Policy; we will update this section if that changes.

12.3 Users in California, USA. Where the California Consumer Privacy Act (Civil Code section 1798.100 et seq.) gives you a statutory right (for example, to know, to delete, to correct, or to opt out of "sale" or "sharing"), we voluntarily honour the substantive equivalent on request. We do not "sell" personal data and we do not "share" personal data for cross-context behavioural advertising as those terms are defined in California law.

12.4 Users elsewhere. Wherever you are, you may write to us at support@trovestays.com and we will treat you fairly and consistently with this Policy.


13. Children

13.1 TroveStays is for adults. You must be at least 18 years old to use TroveStays. We do not knowingly collect personal data from anyone under 18. If we discover that an account belongs to a person under 18, we will suspend the account and delete the associated personal data within a reasonable time.

13.2 If you are a parent or guardian and you believe a person under 18 has provided us with personal data, please write to support@trovestays.com and we will act promptly.


14. Cookies and on-device storage

The detail of what we store on your device, and why, is in our Cookie and Tracking Notice (06-cookie-and-tracking.md). In summary: we use first-party storage to keep you signed in, to remember your preferences, to cache rates so the app is fast, and to record which posts you have seen so we do not repeat them. We do not run third-party advertising trackers and we do not sell behavioural data.


15. Changes to this Policy

15.1 We may update this Policy from time to time. When we do, we will:

15.2 If you do not accept a material change, you can close your account before it takes effect.


16. How to contact us about your personal data


Version history

Version Date Notes
1.0 2026-06-11 Initial public version.